The cybersecurity industry’s billion dollar scam

The cybersecurity industry can be romanticized as a crime-fighting cabal of protectors facing off against hackers to keep the Internet safe. In this version of the story, there are good guys and bad guys, and the good guys do everything they can to keep their adversaries at bay.

Unfortunately, this is just a story. The reality is that cybersecurity is a corrupt industry that needs bad guys to stay lucrative. Major security technology vendors are running a billion dollar con by selling software that they know won’t work. This scam makes them arguably more corrupt than the hackers themselves.

First, let’s establish that the security industry is, in fact, broken. The global cybersecurity market is set to be worth $75 billion in 2015 and experts estimate it will more than double to $155.74 billion by 2019. Companies are spending billions and billions of dollars on cybersecurity technology to protect themselves against security incidents, which are rising rapidly.

According to PricewaterhouseCoopers, the total number of security incidents has increased 66 percent year-over-year since 2009. In 2014, there were 117,339 incoming attacks a day, an increase of 48 percent over the year before, accompanied by a rise in financial losses. Not only are these attacks more frequent and expensive, but they are also happening on a larger scale – 77 million records stolen from JPMorgan, 80 million records stolen from Anthem, breaches at Target, Home Depot and Sony, and the list goes on.

The connection between more cybercrime and more spending is clear. What is not clear is that more spending on security technology has actually done anything to curb the crime. Most of the security products out there use 20th century technology against 21st century foes, and they are obviously failing.

Stale Bread

Tools from mainstream security vendors are primarily based on an outdated, antivirus approach that relies on having prior knowledge of an attack. Threats are detected by comparing a program’s code against signatures of known malware in a virus dictionary. If a piece of code matches an entry in the dictionary, this raises the red flag.

Most of the security products available on the market are just a half-step better than old antivirus products. This method fails today because it only works if an attack has been seen before. Modern cybercriminals are more sophisticated than that. We are no longer looking at kids in a dorm room coming up with annoying little hacks.

We are looking at professionals with the support of well-resourced crime syndicates and nation states who put millions of dollars into research and development. If you put a hundred million items on your security software’s blacklist, hackers will come up with an engineered attack that is the hundred millionth and one.
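To make the dictionary limitation concrete, here is a minimal signature scanner, written as an added example for this piece and not code from any vendor or from the author. It keeps two kinds of dictionary entries, a whole-file hash and a byte pattern, and runs them over a constructed sample plus two constructed variants (the "malware" is just a marker string; nothing here is real malicious code). The point it shows is coverage: the hash entry catches only the exact file it was taken from, the byte pattern survives an appended byte but not a one-character change to the marker, and anything the dictionary has never seen scores as clean.

```python
import hashlib
import re

# Constructed stand-in for a "known bad" file. The marker string plays the
# role of a malware signature; it is made up for this example.
KNOWN_SAMPLE = b"MZ...header...EVIL_PAYLOAD_MARKER_v1...body..."

# The "virus dictionary": exact-file hashes and byte patterns seen in the past.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
KNOWN_PATTERNS = [re.compile(rb"EVIL_PAYLOAD_MARKER_v1")]


def scan(data: bytes) -> dict:
    """Check a blob against both dictionary types.

    Returns which entry types matched; a real scanner would raise the
    "red flag" when either is True.
    """
    digest = hashlib.sha256(data).hexdigest()
    return {
        "hash_match": digest in KNOWN_HASHES,
        "pattern_match": any(p.search(data) for p in KNOWN_PATTERNS),
    }


def variants() -> dict:
    """Two constructed variants of the known sample, to show what each
    dictionary entry still covers once the file is no longer identical."""
    # One byte appended: file hash changes, embedded byte pattern intact.
    padded = KNOWN_SAMPLE + b"\x00"
    # Marker changed by one character: neither dictionary entry matches.
    retagged = KNOWN_SAMPLE.replace(b"MARKER_v1", b"MARKER_v2")
    return {"padded": padded, "retagged": retagged}


def coverage_report() -> dict:
    """Scan the original and both variants; the result is the whole story
    of prior-knowledge detection in three lines."""
    report = {"original": scan(KNOWN_SAMPLE)}
    for name, blob in variants().items():
        report[name] = scan(blob)
    return report


if __name__ == "__main__":
    for name, result in coverage_report().items():
        flagged = result["hash_match"] or result["pattern_match"]
        print(f"{name:9s} hash={result['hash_match']!s:5s} "
              f"pattern={result['pattern_match']!s:5s} flagged={flagged}")
```

Running it prints that the original is flagged by both entries, the padded copy only by the byte pattern, and the retagged copy by nothing at all. The defensive reading is the one the article makes: every entry in the dictionary describes something that has already happened, so detection for a new variant begins only after someone has been hit by it and shared the sample.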

These approaches to security do not really protect anyone because what happened a day ago is not necessarily relevant to what is happening today. So beware of threat intelligence clouds, sandboxing, containerization, and whitelisting. They are all based on stale information and don’t work.

An Unholy Alliance

The companies that make these products sell them for millions of dollars, knowing that they won’t work. Then when they fail, the vendors ask for millions more dollars to tell their clients why they failed. It is a racket. Without the “robbers,” the “cops” have no business; the more breaches occur, the more money the cybersecurity companies make.

Why hasn’t this Unholy Alliance between hackers and cybersecurity vendors received more attention? And why do organizations keep buying their products? One factor is secrecy – the security industry is not transparent in an alleged effort to protect security, and this means that these inadequate products continue to sell and continue to fail. Marketing is another factor. It’s not the best product that wins, but the best marketed product.

A handful of large security companies are spending vast amounts of money in a marketing land grab for customers. They are succeeding in confusing the marketplace and convincing CSOs to go with them, because no one ever got in trouble for going with an established and respected security vendor.

A Better Way

In order to be effective, security software can’t rely on prior knowledge. It has to somehow figure out what is happening without looking at a list, because that list is inevitably going to be stale and incomplete. A better approach is to use Big Data and machine learning, which make it possible to identify patterns and predict discrepancies in real time based on actual circumstances, not old or useless information.
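The simplest form of "figure out what is happening without looking at a list" is to learn what normal looks like for each account or host and flag what deviates from it. The following streaming baseline detector is an added illustration of that idea, not the author's product and not a description of any vendor's machine-learning system; it is deliberately the smallest statistical model that behaves the way the paragraph describes. Per-key baselines are kept with Welford's online mean/variance so the detector never needs a dictionary of bad things, only a history of the key's own behaviour. The event stream (hourly login counts for a constructed user) and the warm-up and threshold values are assumptions chosen for the demo.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Baseline:
    """Running mean and variance of one key's observations (Welford)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class BehaviourDetector:
    """Flags an observation that sits far outside the key's own history.

    warmup:    observations to collect before any verdict is given
    threshold: z-score beyond which a value is called anomalous
    min_sd:    floor on the standard deviation, so a perfectly flat
               history does not turn every small change into infinity
    """

    def __init__(self, warmup: int = 5, threshold: float = 3.0, min_sd: float = 1.0):
        self.warmup = warmup
        self.threshold = threshold
        self.min_sd = min_sd
        self.baselines = defaultdict(Baseline)

    def observe(self, key: str, value: float) -> Optional[bool]:
        """Return True (anomalous), False (normal) or None (still warming up).

        A flagged value is not folded into the baseline, so one spike does
        not immediately teach the model that spikes are normal.
        """
        b = self.baselines[key]
        if b.n < self.warmup:
            b.update(value)
            return None
        sd = max(b.stddev(), self.min_sd)
        z = (value - b.mean) / sd
        anomalous = abs(z) > self.threshold
        if not anomalous:
            b.update(value)
        return anomalous


def run_demo() -> list:
    """Constructed hourly login counts for one user: a quiet baseline,
    then a burst that no blacklist could have predicted."""
    stream = [3, 4, 5, 4, 3, 5, 4, 3, 60, 5]
    det = BehaviourDetector()
    return [(hour, count, det.observe("alice", count))
            for hour, count in enumerate(stream)]


if __name__ == "__main__":
    for hour, count, verdict in run_demo():
        label = {None: "warming up", True: "ANOMALY", False: "normal"}[verdict]
        print(f"hour {hour:2d}: {count:3d} logins -> {label}")
```

The first five hours produce no verdict, hours five through seven are judged normal against a baseline of about four logins per hour, the burst of sixty is flagged, and the return to five logins is judged normal again because the burst was kept out of the baseline. The practical caveat a defender would add is that baselines learned from live traffic can be walked upward by an adversary who raises activity slowly, so a deployment pairs drift checks and a cap on how far a baseline may move per period with the anomaly rule itself.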

The major security vendors are not taking this approach because it is in their best interest to keep the breaches happening. For this, they are just as culpable as the hackers themselves. In addition to developing new, better approaches for preventing attacks, startups also have an opportunity to realign the goals of the security industry to put customers’ best interest at the core.